Lying about your age online or saying you're tall, dark, and handsome in your …

Violating an employer's computer use policy or a website's terms of service is not a hacking crime covered by US statutes, a federal appeals court ruled on Tuesday.

The US Ninth Circuit Court of Appeals made the determination in a criminal case filed against a former employee of an executive search firm who convinced some of his former colleagues to use their login credentials to download names and contact data from the company's confidential database. Federal prosecutors indicted him on charges involving trade-secret theft, mail fraud, and conspiracy, in addition to violations of the 1984 Computer Fraud and Abuse Act (CFAA), which outlaws computer use that "exceeds authorized access."

A lower court judge dismissed the CFAA charges on grounds that employees were legally authorized to access the database and only violated the employer's restriction on the way the information could be used. A majority of judges hearing an appeal of that dismissal upheld the decision, arguing that to hold otherwise would criminalize even casual terms of service violations imposed by social networking services, online retailers, and search engines.

"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," Alex Kozinski, chief judge for the San Francisco-based appeals court, wrote for the nine-judge majority. "This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer."

The concern is more than mere hypothesis, as the majority opinion went on to note. In 2008, federal prosecutors charged a Missouri woman after she masqueraded as a 16-year-old boy and struck up a correspondence with a teenage girl who later went on to commit suicide. The CFAA charges filed against 49-year-old Lori Drew hinged on a fake MySpace profile she set up in violation of the site's terms of service. By flouting requirements imposed by MySpace, the government argued, she exceeded her authority to access the service.

"Lying on social media websites is common," Kozinski wrote. "People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an [assistant United States attorney] has reason to go after."

The majority opinion also notes that many service terms are "private policies that are lengthy, opaque, subject to change, and seldom read." One example of the vagueness of such policies is the requirement imposed by many employers that company computer use must be for business purposes only. Would using the Internet to check the weather forecast for an upcoming business trip run afoul of such a requirement? What about for a company softball game or for a vacation to Hawaii?

"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," the opinion continued. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com."

Drawing a dividing line

At the heart of Tuesday's decision was language in the CFAA that defines exceeding authorized access as the accessing of "a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The term "entitled" refers to the way the user obtains or alters the data, the majority reasoned, while the policy the former employee was accused of violating used "entitle" to limit how the information could be used after it was obtained.

The judges noted that at least three other federal appeals courts—the 11th Circuit in 2010, the Fifth Circuit in the same year, and the Seventh Circuit in 2006—have arrived at vastly different interpretations of the CFAA. For the time being, that means lower courts in different parts of the country will be bound by competing guidance. That makes the issue ripe for review by the US Supreme Court unless the appeals courts change their minds. Indeed, the Ninth Circuit majority called on its sister courts to reconsider their rulings.

"These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute's unitary definition of 'exceeds authorized access,'" the opinion stated. "They therefore failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly so as to avoid 'making criminal law in Congress's stead,'" the majority continued, quoting from the 2008 US Supreme Court ruling known as United States v. Santos.

Two judges on the 11-judge panel disagreed and warned that the majority was parsing the CFAA in a "hyper-complicated way" that distorted Congress's intentions when the statute was drafted.

"A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself," the dissenting opinion, written by Judge Barry G. Silverman and joined by Judge Richard C. Tallman, stated. "A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled—he would 'exceed his authority'—to take the vehicle to Mexico on a drug run."

At times, the text of the 22-page decision read more like an Ars article than an appeals court ruling. Online services mentioned included Reason.TV, Google Chat, Farmville, Amazon, Facebook, eBay, YouTube, and the IMDB, as well as gadgets including the iPad, Kindle, Nook, and Xbox (mistakenly referred to as X-box).

When anyone uses any of these, "we are using one computer to send commands to other computers at remote locations," the majority said. "Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands."

Did you even read the article? It's not about passing more laws, it's about district attorneys trying to stretch the interpretation of existing laws so they can pad on extra charges in order to intimidate people into taking plea bargains.

Very true. Of course, it would help if Legislators would craft fewer laws, specify criminal behavior very succinctly, and stop making everything a felony to get people's attention.

They just did, right here. TOS's are, broadly speaking, the private sector's attempts to force one-sided anti-consumerist agendas upon their customers, and erode the idea of private property. Right here, the government took a modest step against those private-sector initiatives.

This is absolutely the correct ruling in my opinion. To me what the government was trying to do here is allow private companies to write the law. In this case they were using the CFAA to criminalize the policies written by a private company, effectively saying that with regard to computer access "whatever a private company decides is the law". This is a dangerous thing since as we have seen these policies can change often, are overly broad, and not subject to review by the judicial branch. Criminal law (and really all law) should have a high barrier to be made. It must require agreement by the legislative and be signed into law by the executive. It cannot be changed easily and without warning as private companies sometimes do with their own internal policies.

I'm sorry but those dissenting judges are a couple of morons in this case. The clients that this party is trying to snatch away from the company is different from a bank teller snatching money from a bank. The clients can decide if they want to stay or jump ship and their information is still residing on the company's confidential database. Money taken from a bank doesn't usually stay in the vault and goes where it's told. The idiot should have compared it to the teller snatching the client info from the bank and trying to get them to move to another bank. And if anything this guy is guilty of is being damn good at social engineering.

I'm appalled that there would even be dissent in such a matter. These kinds of agreements aren't even legally binding contracts - much less a way to charge someone with a felony. They're the digital equivalent of a "no shirts, no shoes, no service" sign on the door of your local restaurant - a warning to those entering of the various policies that will result in the denial of access to the establishment.

When you do happen to walk into such places without shoes, they don't charge you with a federal crime for improper footwear. They kick you out of the store. The store isn't allowed to write its own laws and impose them on its clientele.

The court's ruling is probably good for me. I don't know how I'd manage to use computers at all, much less the internet, without agreeing to some of these long-winded TOS. (I used to have a lot of fun with EULAlyzer, then got bored with it...) I'm sure I've run afoul of many items in various TOS, and I hardly ever go back to the URL to look for items that have been changed at any time for any reason.

... Of all the bleedingly obvious things... of course a contract isn't a law... How the hell did it even get this far...

IANAL, but as I understand it, they said not only are these contracts not law, they're not even contracts. The idea behind contracts is that two parties negotiate a relationship amenable to both. These EULAs and TOSs are not negotiated. As another poster mentioned, they're more like signs posted in the window, except that they're illegible. It's more like the handle on the door has tiny Middle English writing etched on it and the customer is expected to abide by that writing because their hand touched it on the way in. It's not a contract, it's a nuisance.

danstl wrote:

This is BS - then all contracts are non enforceable...

You agree to something - using an "electronic signature" something that most states see as a legal binding agreement, and yet we completely throw it away..

I guess privacy statements and the such from places like facebook have the same inverse...

There's a huge difference between clicking past a TOS or EULA and initialing every item and signing at the bottom of a real physical contract. When confronted with one's own handwriting, one will have a very hard time claiming they didn't know what they were signing up for. When confronted with a log entry claiming they clicked past a contract, it is incredibly easy to respond with a mere "says you!"

Clicking "I accept" is not a digital signature. It's basically nothing at all because it can be spoofed. Digital contracts will be meaningless until our culture fully adopts digital signatures as a fundamental part of being a responsible human.

tungsten2k wrote:

Whelp - there goes the "But giving you my FB login is illegal because it is against the FB ToS Mr. Potential Employer" defense…

Fortunately we can still use the "my web site login information is not relevant to the hiring process" defense.

You agree to something - using an "electronic signature" something that most states see as a legal binding agreement, and yet we completely throw it away..

EULAs are normally deemed contracts of adhesion. What this means in practice is that they're not really contracts at all.

If you violate a EULA and are taken to court, the issue is almost certainly going to be decided on one of two principles:

1. The "we have the lawyers and the money" principle. Ultimately, a well-heeled corporation can simply run your funds dry if it's feeling ornery enough. As a result, most people will simply settle rather than try to fight it out.

2. Implicit contract principles. When you enter into any sort of agreement with another party, there is an implicit contract involved based on a rather fuzzy set of "what seems reasonable" ideas held by the court. However, the exact terms of the contract are minimally relevant. At best, they'd be used to demonstrate that certain provisions are reasonable due to common use.

But I've never heard of a case where a EULA has been deemed a legitimate contract between two parties enforceable in the manner of an actual contract (where the precise terms are legally enforceable as a matter of course).

Quote:

I guess privacy statements and the such from places like facebook have the same inverse...

If I make an intentionally false statement about my product or service in order to gain you as a customer, that's known as fraud.

Taking a car without authorisation is a theft. It is also illegal to "borrow" a car without authorisation (but is it a theft?). Now what is it if you take a car for a test drive (you were allowed 10 minutes) and dwell a little with returning it (you leave it parked at your driveway to impress the neighbors)? Say the salesperson will report a theft after you've been gone for 30 minutes and after another 30 minutes you arrive with the car (in pristine condition). Surely the sales person would be pissed, but the theft charges should be dropped, right? What if you keep the car on your driveway for longer: 2 hours, 2 days, 2 weeks? When does it become a crime? Can you be guilty of theft if you were allowed to take it, and returned it of your own will, just later than anticipated? Does it matter if the judge believes you had an initial intent to steal the car but changed your mind and returned it? What if you have reasonable grounds to prove you intended from the beginning to return the car after a specific task, 1 day later (as you did)?

After all, the practice of letting people test drive relies on trust, just as borrowing a car from a friend.

It surely calls for a civil suit for compensating the unreasonably long time they were without the car.

Of course, with information there is nothing to compensate for, as you don't take it away from anyone if you copy it - they can still use it. In fact, there is no equivalent to 'returning the car' for information.

Also I don't think the classification of the deed should be changed if the car allowed you to engage in illegal activities. Those activities have their own paragraphs. As do using the information in illegal ways.

We write everything else to (usually) a 4th grade reading level. Laws should be the same.

Every law should be sent to a randomly-selected elementary school. If 3/4 of the main-line 4th grade students can't figure out what the hell the law is supposed to do, it doesn't go to a vote.

A) That has nothing to do with this. The law itself was pretty clear. The prosecution simply tried to broaden its reach to claim that violating an EULA was the same as illegally breaking into a computer system.

B) It would be monumentally stupid to make laws restricted to a 4th grade reading level. Legal terms have specific meaning, just like medical terms have specific meaning. Dropping it to 4th grade level makes it more vague and less helpful for making narrow decisions.

Apples and oranges, I think. Our laws allow us a panel of peers to determine our innocence or guilt according to the law and the evidence and they are the ones who determine if keeping the car until the police come and arrest you is theft or just an "extension" of the test drive period. If you had signed a contract electronically on their system it would not turn that alleged theft into a hacking case. Or a breaking and entering case. Or a robbery case.

Why would an EULA not be a contract? If you agree to something on paper it's a contract - as I stated before most states now recognize (as of 2005) online signatures and agreements as BINDING contracts... SO that being said would it still not be technically fraud on the end user if they knowingly violate a TOS/EULA?!

Your reasoning can't go both ways...

And just because:

Quote:

When anyone uses any of these, "we are using one computer to send commands to other computers at remote locations," the majority said. "Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands."

WHAT!? Most people don't read or understand the loan document they just signed, or in store credit card application with the 32% interest rate, or the 3 years "free" financing at the furniture store...

Claiming that people are ignorant does not make up for the fact that people are agreeing to and using these services.

An EULA is a contract, but some or all of it may not be legally binding. It's a unilateral contract, most often ascribed post-purchase, frequently beyond the point of being able to seek a refund for purchased products. Because the opposing party has no ability to consent or reject the terms of the agreement prior to purchase many terms are held to the 'reasonable' and 'conscionable' standards in civil courts.

This is basic consumer protection, and an issue that has been in the news with regularity over the past several years, most notably with the inclusion of limitation of class action lawsuit rights and binding arbitration clauses (see Sony, Microsoft, and AT&T). Conversely, if Apple was to put in an EULA for iTunes that in order to re-download any previously purchased material you must pay triple the original cost of the material and sacrifice your first born child, they would likely be sued by consumers and lose as the courts would (hopefully) find that to be an unreasonable or unconscionable contract clause and hence, unenforceable.

My biggest beef with EULA is that it's a click. There is NO way to verify that the person behind the keyboard/mouse is the person who is going to be using that system. For fuck sake I just set up a netbook for a friend this past weekend and installed about a dozen apps and clicked through a dozen EULA. Did she click it or did I? How can she be held to the terms if I'm the one who clicked YES.

A TOS is not post purchase - you agree to a TOS before you sign up for the service... I would have to say that it should be a legally binding agreement just like anything else... If people want to lie and cheat online that is their own problem, but they are doing it in violation of the agreements they "sign" to use certain sites...

This can have an effect on AUPs in the workplace as well... I am just saying that people should read these things and follow them or raise questions if they do not like what's in them... Blindly click agree without reading and then saying it's "un-reasonable" is not the answer...

As far as EULAs are concerned I believe they should be pre-purchase - just as a TOS is...

Regardless of the type of contract, whether it's agreed to pre- or post-purchase, the unenforceability of unconscionable and unreasonable contract clauses is a well codified legal foundation. It prevents abuse of the judicial system by stronger parties strongarming lesser parties into intentionally unfavorable contracts.

AUPs are not contracts. They are private policy and not enforceable through the courts on their own. That does not preclude that enforcement of AUPs may have legal-related consequences (e.g. job loss, denial of access/service).